Mac malware targeting Tibetan supporters is being served on a website connected to the Dalai Lama. The Dockster Trojan, discovered by researchers at F-Secure, exploits the same Java vulnerability as the virulent Flashback Trojan that hit more than 600,000 OS X users earlier this year.

F-Secure researcher Sean Sullivan said current versions of OS X are not vulnerable; users who have disabled the Java browser plug-in are also not vulnerable. Sullivan said Dockster is “a basic backdoor with file download and keylogger capabilities.”

Sophos, meanwhile, released an analysis of the problem and found two malicious Java applets embedded on the gyalwarinpoche [dot] com website that are serving the malware. Infected machines are susceptible to data theft.Supporters of the Tibetan Government in Exile have been targeted before by similar attacks, including an email-based campaign based in July around the time of the Dalai Lama’s birthday. The emails contained a malicious Microsoft Word attachment that exploited a vulnerability in Common Controls and dropped variants of the Midhos Trojan. In March, a Mac backdoor that was part of the GhostNet campaign against non-governmental organizations supporting Tibet was found.

Dockster, meanwhile, tries to exploit a vulnerability patched in April by Apple. According to CVE 2012-0507, attackers can exploit the hole to bypass Java sandbox restrictions. This is the same hole trampled on by the Flashback Trojan.

Profile Picture: "The Foaming Monk"The Chinese characters are Fo (buddha) and Ming (bright). The image is of a student of Buddhism, who, imagining himself to be a monk, and not understanding the true meaning of the words takes the sound of the words literally. Likewise, People on web forums sometime seem to be foaming at the mouth. Original painting by P.Volker /used by permission.